The old-kernel subdir path uses namespace unsharing and string-based
move_mount() which is unsafe for restricted users (TOCTOU). The safe
detached subdir open requires Linux >= 6.15.

Signed-off-by: Karel Zak <kzak@redhat.com>
}
#endif
+ if (mnt_context_target_fd_required(cxt)) {
+ DBG_OBJ(HOOK, hs, ul_debug(
+ "subdir mount refused for non-root user (kernel < 6.15)"));
+ return -ENOTSUP;
+ }
+
/* create unhared temporary target */
hsd->org_target = strdup(mnt_fs_get_target(cxt->fs));
if (!hsd->org_target)
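Review bot: The new refusal after `#endif` is reported only through `DBG_OBJ`, so without debugging enabled the caller gets a bare `-ENOTSUP` with no hint that the subdir mount was rejected because of the kernel version. Consider setting a user-visible error message before the return. Also, the condition tests only `mnt_context_target_fd_required(cxt)`, while the debug string speaks of "non-root user (kernel < 6.15)"; neither the uid nor the kernel version is checked on the visible lines, so a short comment above the `if` should explain that reaching this point means the fd-based path was unavailable and that `target_fd_required` stands for the restricted-user case. While touching this area, the context comment "create unhared temporary target" has a typo ("unshared").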
+
Note that this feature will not work in session with an unshared private mount namespace (after *unshare --mount*) on old kernels or with *mount*(8) without support for file-descriptors-based mount kernel API. In this case, you need *unshare --mount --propagation shared*.
+
+For unprivileged (non-root) users, this feature requires Linux >= 6.15 where the subdirectory is opened directly on the detached mount tree.
++
This feature is EXPERIMENTAL.
*X-mount.owner*=_username_|_UID_, *X-mount.group*=_group_|_GID_::
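Review bot: The added paragraph states the Linux >= 6.15 requirement for unprivileged users but not what happens on older kernels or why. Say explicitly that the mount is refused with "Operation not supported" (the code returns `-ENOTSUP`), and give the reason from the commit message, namely that the old path relies on namespace unsharing and string-based move_mount(), which is open to a TOCTOU race. Since the preceding paragraph ends with the `unshare --mount --propagation shared` workaround, it would also help to state that this workaround does not lift the restriction for non-root users, so readers do not take it as an alternative.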